I was speaking to one of our security administrators at work, and he insists that Steam is a well-understood security risk and that it shouldn't be installed on work machines.

Saying it's not work related I understand, but is there a genuine security threat from having it installed (and if so broadly what is it), or is this someone providing a fictional reason for not allowing something they just don't want to allow?

(As I say, I'm not disputing their right to say what should and shouldn't be installed, just trying to understand the reasons).

+1 for not wanting to be a bad guy - if he wanted to be a jerk, he could just say "You shouldn't be playing video games at work!" really loudly, in front of your boss
– BlueRaja - Danny Pflughoeft, Jul 27 '12 at 3:31

Steam records game usage, time and other game characteristics. In addition, Steam reports configuration details and all installed applications. So, Steam can be considered spyware itself when the configuration or the installed applications are an important strategy key of the company.

Anytime you install an application, you increase the attack surface for that box. This is true even in the case of antivirus. Obviously there are times when this is absolutely necessary and proper risk analysis should be completed to determine whether or not an application should become a standard for the environment.

On the other hand, we security professionals have a nasty habit of spreading FUD (Fear, Uncertainty and Doubt). That is to say, we make policy, rules or decisions without applying any validation to the root cause.

I have no doubt that there are vulnerabilities in Steam. Why would you think game developers are magically capable of writing secure C/C++ code, when no mainstream OS developers have been able to do so, despite being largely security focused?

I used to make cheats for Crysis, and accidentally stumbled across a format string vulnerability. This was a highly acclaimed game, and yet I found a vulnerability in it without even trying. Around the same time, Luigi Auriemma was finding vulnerabilities in top titles like Call of Duty 4, Halo, Quake 3, and various game tools like Ventrilo. He found tons of vulnerabilities in all these products like it was nothing. There must be tons more.

So it's safe to say that there are tons of vulnerabilities in games and related products such as Steam, and people most likely do have 0days for them, not to mention Steam devs or anyone selling a product over Steam could choose to distribute malware to you.

It's still rare that you see 0days published for Steam and video games in general, so unless you are a worthwhile target, you probably aren't going to get exploited this way.

Is Steam a security problem at work? Well, like any other program it will have vulnerabilities. And it allows installing other programs that will also have vulnerabilities. So yes, just like Windows, IE and Office, it has security issues. And in the settings you can have it send information back to the Steam servers about your computer (this may be on by default), just like Windows does and many others. (Firefox can do this, as can Chrome and many others.)

So your company has said we don't want to take the risk.

As for playing games at work, there are companies with video game consoles in the office, pool tables, tennis courts, and they let their users play video games. Why? Because their office workers are more productive when they are happy and content and morale is high, so they give them these things called perks. Some of them are things like free food, health care, free parking, a fun atmosphere and gaming.